I bet you try to authenticate without starttls and anonymous
try with starttls on 389 or with ssl on 636 with the user ldapservice (the password is /var/lib/nethserver/secrets/ldapservice)
yes try âuid=ldapservice,ou=People,dc=directory,dc=nhâ with the password
this remotely is workable
[root@ns7loc9 ~]# ldapsearch -D cn=ldapservice,dc=directory,dc=nh -w 'V_85617fr2bK3Csj' -H ldaps://192.168.56.12:636
Still no luck:
inside the vm running nethserver succeeds:
ldapsearch -H ldaps://172.28.0.1:636 -D cn=ldapservice,dc=directory,dc=nh -w 5TpsW_xgFCNx_hXN
from outside fails:
ldapsearch -H ldaps://192.168.122.84:636 -D cn=ldapservice,dc=directory,dc=nh -w 5TpsW_xgFCNx_hXN
What could I be doing wrong?
1 Like
could you try to bind remotely over starttls with the admin user
[root@ns7loc9 ~]# ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W
fill the admin password, it works on my VM
two-feet-brake-step.
1: IMVHO is not a nice thing have this binding working, because every admin password change the bind goes messy.
2: is aqua network part of the trusted networks?
no it is a specific network only reachable from the firewall
Is viable correct and proper tell the container to look for the GREEN IP address of the installation or should look for the AQUA IP address of NethServer/CentOS?
the local IP of the NethServer is reachable from aqua
[root@ns7loc7 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e2784a928e83 sutoj/piler:1.3.10 "/start.sh" 27 hours ago Up 31 seconds (health: starting) 25/tcp, 80/tcp, 443/tcp docker_piler_1
46c3432d6f86 mariadb:10.4 "docker-entrypoint.sâŠ" 27 hours ago Up 5 minutes 3306/tcp docker_mysql_1
d7d108a8c6a1 memcached:latest "docker-entrypoint.sâŠ" 27 hours ago Up 5 minutes 11211/tcp docker_memcached_1
[root@ns7loc7 docker]# docker exec -ti e2784a928e83 /bin/bash
root@e2784a928e83:/# ping 192.168.56.8
PING 192.168.56.8 (192.168.56.8) 56(84) bytes of data.
64 bytes from 192.168.56.8: icmp_seq=1 ttl=64 time=0.180 ms
64 bytes from 192.168.56.8: icmp_seq=2 ttl=64 time=0.130 ms
I give up for today:
ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.122.84 -D uid=admin,ou=People,dc=directory,dc=nh -W
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
It exits with the above error before asking for the password. By running ngrep on port 389 thereâs a tcp connection and response from the ldap server.
I have NethServer 7.9.2009 installed.
1 Like
i am on a clue, however it is better to enable logging to ldap for debugging
https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#logging
will report ASAP
Feb 1 22:47:44 ns7loc7 slapd[27787]: conn=1152 fd=22 TLS established tls_ssf=256 ssf=256
Feb 1 22:47:44 ns7loc7 slapd[27787]: conn=1152 op=0 BIND dn="uid=admin,ou=People,dc=directory,dc=nh" method=128
Feb 1 22:47:44 ns7loc7 slapd[27787]: conn=1152 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Feb 1 22:47:44 ns7loc7 slapd[27787]: conn=1152 op=1 UNBIND
Feb 1 22:47:44 ns7loc7 slapd[27787]: conn=1152 fd=22 closed
Feb 1 22:48:03 ns7loc7 slapd[27787]: conn=1153 fd=22 ACCEPT from IP=172.28.0.4:60762 (IP=0.0.0.0:389)
Feb 1 22:48:03 ns7loc7 slapd[27787]: conn=1153 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 1 22:48:03 ns7loc7 slapd[27787]: conn=1153 op=0 STARTTLS
Feb 1 22:48:03 ns7loc7 slapd[27787]: conn=1153 op=0 RESULT oid= err=0 text=
Feb 1 22:48:03 ns7loc7 slapd[27787]: conn=1153 fd=22 closed (TLS negotiation failure)
Feb 1 22:48:28 ns7loc7 slapd[27787]: conn=1154 fd=22 ACCEPT from IP=172.28.0.4:41076 (IP=0.0.0.0:636)
Feb 1 22:48:28 ns7loc7 slapd[27787]: conn=1154 fd=22 closed (TLS negotiation failure)
not a firewall issue, we can contact the firewall
[root@ns7loc7 docker]# docker exec -ti e2784a928e83 /bin/bash
root@e2784a928e83:/# ldapsearch -b dc=directory,dc=nh -ZZ -H ldap://192.168.56.8 -D uid=admin,ou=People,dc=directory,dc=nh -W
ldap_start_tls: Connect error (-11)
root@e2784a928e83:/# ldapsearch -b dc=directory,dc=nh -H ldaps://192.168.56.8 -D uid=admin,ou=People,dc=directory,dc=nh -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I think the container misses something related to ssl to negotiate the connection
true
Feb 1 22:54:20 ns7loc7 slapd[27787]: conn=1156 fd=22 ACCEPT from IP=172.28.0.4:41196 (IP=0.0.0.0:636)
Feb 1 22:54:20 ns7loc7 slapd[27787]: conn=1156 fd=22 closed (TLS negotiation failure)
Feb 1 22:54:45 ns7loc7 slapd[27787]: conn=1157 fd=22 ACCEPT from IP=172.28.0.4:60902 (IP=0.0.0.0:389)
Feb 1 22:54:45 ns7loc7 slapd[27787]: conn=1157 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 1 22:54:45 ns7loc7 slapd[27787]: conn=1157 op=0 STARTTLS
Feb 1 22:54:45 ns7loc7 slapd[27787]: conn=1157 op=0 RESULT oid= err=0 text=
Feb 1 22:54:45 ns7loc7 slapd[27787]: conn=1157 fd=22 closed (TLS negotiation failure)Thank you for helping me in the debugging. The docker image missed the ca-certificates package. After installing it I can authenticate just fine using ldap.
Iâll experiment with some email aliases, groups, etc. and compile the required ldap settings to authenticate against nethserverâs ldap server. Also Iâll fix soon the sutoj/piler-1.3.10 image.
1 Like
A few more ideas or improvements
I can see that nethserver supports email aliases, however instead of putting them to ldap as well, they got into postfixâs virtual file. I think it might be better to instruct postfix to read the aliases from ldap as well. In that case the piler gui could also read the email aliases from ldap.
I managed to create a group (group1), and added two members (user1 and user2). I enabled that let group1 be assigned its own email address, eg. group1@acts.hu. However, I canât find this group email address using ldapsearch and not even in /etc/postfix files. Perhaps I missed something.
Also it would be nice if the group email address, ie. group1@acts.hu could be found using an ldap query.
This as been asked few times I think, however I wonder if the default postfix version of centos can handle it, I sounds me something here
cc @davidep can you help us here ?
The aliases DB of NethServer comes from the e-smith AccountsDB: we canât change that because it is the backend used by Nethgui and Cockpit.
Postfix can read aliases from multiple sources, though. A custom template might be enough to plug-in an additional aliases backend, based on a LDAP or SQL database.
It could be nice for NS8.
1 Like
lucky guy, I still cannot authenticate from the container
root@e2784a928e83:/# ldapsearch -b dc=directory,dc=nh -H ldaps://192.168.56.8 -D cn=ldapservice,dc=directory,dc=nh -w '7FqUh9I_wPvOQXxg'
Feb 2 15:45:05 ns7loc7 slapd[1546]: conn=1012 fd=22 ACCEPT from IP=172.28.0.4:46346 (IP=0.0.0.0:636)
Feb 2 15:45:05 ns7loc7 slapd[1546]: conn=1012 fd=22 TLS established tls_ssf=256 ssf=256
Feb 2 15:45:05 ns7loc7 slapd[1546]: conn=1012 fd=22 closed (connection lost)
what package did you install exactly for the sake of developers ?
On ubuntu the package is called âca-certificatesâ.
1 Like
yes I installed this one, but no luck what ldap query did you use ?
By the way did you test an imap authentication ?
From inside the container:
ldapsearch -x -H ldaps://172.28.0.1 -D âuid=piler,ou=People,dc=directory,dc=nhâ -b âdc=directory,dc=nhâ -w piler123
ldapsearch -x -H ldaps://172.28.0.1 -D cn=ldapservice,dc=directory,dc=nh -b âdc=directory,dc=nhâ -w 5TpsW_xgFCNx_hXN
Both queries work. Anyway, Iâll discard the current vm, and try to recreate to make sure it works. Iâll keep you posted.
No, I havenât tried the imap authentication yet. Iâll test it after the redeployment.
1 Like